Leaked files show what a Cellebrite phone extraction report looks like

Earlier this year, we were sent a series of large, encrypted files purportedly belonging to a US police department as a result of a leak at a law firm, which was insecurely synchronizing its backup systems across the internet without a password.

Among the files was a series of phone dumps created by the police department with specialist equipment, which was created by Cellebrite, an Israeli firm that provides phone-cracking technology.

The digital forensics firm specializes in helping police collar the bad guys with its array of technologies. It shot to fame earlier this year when it was wrongly pinned as the company that helped to unlock the San Bernardino shooter’s iPhone, the same phone that embroiled Apple in a legal brouhaha with the FBI.

That’s not to say that Cellebrite couldn’t have helped.

Cellebrite’s work is largely secret, and the company balances on a fine line between disclosing its capabilities to drum up business and ensuring that only the “good guys” have access to its technology.

US police are said to have spent millions on this kind of phone-cracking technology. And it’s not surprising, because Cellebrite gets results.

The forensics company claims it can download almost every shred of data from almost any device on behalf of police intelligence agencies in over a hundred countries. It does that by taking a seized phone from the police, then plugging it in, and extracting messages, phone calls, voicemails, images, and more from the device using its own proprietary technology.

It then generates an extraction report, allowing investigators to see at a glance where a person was, who they were talking to, and when.

We obtained a number of these so-called extraction reports.

One of the more interesting reports by far was from an iPhone 5 running iOS 8. The phone’s owner didn’t use a passcode, meaning the phone was entirely unencrypted.

Here’s everything that was stored on that iPhone 5, including some deleted content.

(Apple’s iOS 8 was the first iPhone software version to come with passcode-based encryption. It would’ve been enough to thwart the average phone thief, but it might not have hindered some phone crackers with the right hardware. Cellebrite says it can’t crack the passcodes on the iPhone 4s and later. iPhone 5s handsets and later come with a secure enclave co-processor on the iPhone 5s’ main processor chip, which makes phone-cracking significantly harder.)

The phone was plugged into a Cellebrite UFED device, which in this case was a dedicated computer in the police department. The police officer carried out a logical extraction, which downloads what’s in the phone’s memory at the time. (Motherboard has more on how Cellebrite’s extraction process works.)

In some cases, it also contained data the user had recently deleted.

To our knowledge, there are a few sample reports out there floating on the web, but it’s rare to see a real-world example of how much data can be siphoned off from a fairly modern device.

We’re publishing some snippets from the report, with sensitive or identifiable information redacted.

Front cover: the first page of the report includes the law enforcement’s case number, examiner’s name, and department. It also contains unique identifying information of the device.

DEVICE INFORMATION:

Device information: The report details who the phone belongs to, including phone number, registered Apple ID, and unique identifiers, such as the device’s IMEI number.

EXTRACTION SOFTWARE PLUGINS:

Plugins: This part describes how the software works and what it does. It includes Quicktime metadata extraction and analytics generation. The software can also cross-reference data from the device to build up profiles across contacts, SMS, and other communications.

LOCATIONS:

Locations: the extraction software records the geolocation of every photo that’s been taken, and visualizes it on a map, allowing the investigator to see everywhere the phone owner has been and when.

MESSAGES:

Messages: In this “conversation” view, an investigator can see all of the text messages in chronological order, allowing them to see exactly what was said within a specified period of time.

USER ACCOUNTS:

User accounts: this portion reveals the phone owner’s user accounts on the phone, depending on how many apps are installed. In this case, only a username and password for Instagram was collected.

WIRELESS NETWORKS:

Wireless networks: the extraction software will download a list of all the wireless networks that the phone connected to, including their encryption type and the MAC address of the network’s router, and when the phone last connected to the network.

CALL LOG:

Call log: The report contains a full list of call records, including the kind of call (incoming or outgoing), the time, date, and phone number of the call, and duration of the call. This type of information is highly useful when collected by intelligence agencies.

CONTACTS:

Contacts: Contacts in the phone are vacuumed up by the extraction software, including names, phone numbers, and other contact information, such as email addresses. Even deleted content may still be collected.

INSTALLED APPS:

Installed apps: All of the installed apps, their version, and permission settings are recorded by the extraction software.

NOTES:

Notes: Any data written in the Notes app is downloaded, too. Here, we have redacted what appears to be bank account information.

VOICEMAIL:

Voicemail: voicemails stored on the phone are collectable and downloaded as audio files. It also includes the phone number of the person who left the voicemail and the duration.

CONFIGURATIONS AND DATABASES

Configurations and databases: property lists (“plist”) store app data on iPhones. These individual files contain a wealth of information, such as configurations, settings, options, and other cache files.

ACTIVITY ANALYTICS:

Activity analytics: for each phone number, the analytics engine figures out how many associated actions have taken place, such as text messages or calls.